19 Jun 2026
Author
Akash Shakya
The search bar looked fine. The infrastructure was healthy. The API gateway was routing requests. But every query was taking thirty seconds to return — because the embedding model behind the search feature was experiencing a latency spike, and the application had no fallback. No timeout. No alternative path. No degraded mode. Every user who typed a query sat staring at a spinner while the front end waited for an AI service that was not going to respond in any reasonable timeframe.
The product was not down. It was worse than down. It was hanging — functional enough that users kept trying, slow enough that every attempt eroded trust. A fallback to keyword search — less intelligent but instant — would have kept the product usable while the API recovered. Instead, the team spent two hours in a war room diagnosing an issue that a five-line timeout configuration and a fallback route would have handled automatically.
This is the failure mode that separates AI-powered products from traditional software. Traditional services either work or they return an error. AI services have a third state: they return, but the result is not trustworthy. The model might be unavailable. It might respond slowly. It might respond confidently with an answer it should not be confident about. Each of these failure modes requires a different fallback behaviour, and most teams design for none of them.
At EB Pearls, fallback design is specified during the architecture phase — not discovered during the first production incident. With 360+ AI-native developers and 900+ projects delivered across 1,400+ businesses, we have seen every flavour of model failure: API outages, latency spikes, confidence collapse, rate limiting, and the silent failures where the model returns something plausible but wrong. Built to Last™ delivery treats fallback behaviour as a first-class architectural concern, because the question is not whether the model will be unavailable. The question is what your product does when it is.
Why AI Systems Need Fallback Design That Traditional Software Does Not
Traditional software resilience is well understood. If the database is unreachable, the application returns an error. If a microservice is down, the circuit breaker trips. The failure is binary — the service works or it does not — and the response is straightforward: retry, failover, or degrade gracefully with a clear error message.
AI systems break this model. A language model API might respond with a 200 status code — technically a successful response — containing a hallucinated answer that contradicts your product's data. An embedding service might return vectors, but with elevated latency that cascades into timeouts across dependent services. A classification model might return a prediction with a confidence score of 0.51, technically above the default threshold but functionally a coin flip.
These are not infrastructure failures. They are intelligence failures. Your monitoring dashboard shows green. Your uptime metric is 99.9 percent. And your users are receiving results that should never have been served. Traditional observability catches the first category. Only deliberate fallback design catches the second.
The agentic AI delivery process at EB Pearls maps every model interaction to an explicit fallback path during the Discovery Workshop™ — because every model call is a point where the system can fail in ways that infrastructure monitoring will not detect.
The Three Failure Modes That Require Different Fallback Strategies
Designing effective fallback requires understanding that AI failures are not uniform. A timeout requires a different response than a low-confidence result, which requires a different response than an outright hallucination. Treating all model failures the same produces either overly aggressive fallback — bypassing the AI when it could have helped — or overly permissive tolerance that serves bad results to users.
Model Unavailability
The simplest failure mode: the model API is unreachable, rate-limited, or timing out. This is the closest to traditional service failure and the easiest to handle. The response is a circuit breaker pattern with a predetermined fallback path.
For search, the fallback might be keyword matching. For recommendations, the fallback might be popularity-based sorting. For content generation, the fallback might be a templated response. The fallback is always less intelligent, but it keeps the product functional. The key architectural decision is defining the timeout threshold — how long to wait before switching — and the recovery probe that determines when to route traffic back to the model.
Low-Confidence Results
This is the failure mode unique to AI. The model responds, but the response should not be trusted. A classification returns with 53 percent confidence. A generative model produces an answer but flags high uncertainty. A similarity search returns results with low relevance scores.
Low-confidence fallback requires a confidence threshold defined at the product level, not the model level. The model does not know what confidence level your users need. A product recommending movies can tolerate lower confidence than a product recommending medications. The threshold is a product decision that the architecture must enforce — and it must be configurable without redeploying the model.
When confidence falls below the threshold, the fallback behaviour depends on the use case: request human review, return a curated default, surface the result with a caveat, or suppress the result entirely and fall back to a non-AI path. Each option has different UX implications that must be designed alongside the architecture.
Degraded Quality Without Signals
The most dangerous failure mode. The model responds with high confidence, within normal latency, but the output is wrong. This happens during model drift, after upstream data changes, or when the model encounters inputs outside its training distribution. There is no signal to trigger a fallback because the model itself does not know it is wrong.
Defending against this requires output validation — rules, constraints, or secondary checks that verify the model's output against known boundaries. A price recommendation model that suggests a negative price has failed, regardless of its confidence score. A classification model that assigns a category not in the valid set has failed. These guardrails are not fallback in the traditional sense, but they are the only defence against a model that fails silently. Google's Site Reliability Engineering practices for production systems emphasise that output validation is as critical as input validation — a principle that applies with even greater force to non-deterministic AI systems.
How to Architect Fallback Behaviour from Day One
Define fallback paths during architecture, not after launch. Every model interaction in your system should have a documented answer to the question: what happens if this model call fails, times out, or returns low confidence? If the answer is "the feature breaks," the architecture is incomplete. Map each model dependency to a fallback path during the project delivery framework design phase.
Implement circuit breakers with model-aware thresholds. Standard circuit breakers trip on error rates and timeouts. AI circuit breakers must also trip on confidence degradation. If the average confidence score of the last fifty predictions drops below a defined threshold, the circuit breaker should open and route to the fallback path — even if every request returned a 200 status code. Monitor both infrastructure health and output quality.
Design confidence thresholds as configuration, not code. Confidence thresholds will change as the model improves, as user expectations shift, and as you gather production data about what confidence levels correlate with acceptable outcomes. Hard-coding a threshold means redeploying to adjust it. Externalise thresholds to configuration — environment variables, feature flags, or a configuration service — so the team can tune fallback sensitivity without a release cycle.
Build fallback UX as deliberately as primary UX. The fallback experience is still a user experience. A search that silently falls back to keyword matching should still feel responsive and useful — not like a broken version of the product. Design the degraded state: what does the user see, what context do they receive about why the experience is different, and how does the product communicate that it is operating in a reduced capacity? Users tolerate degradation when they understand it. They abandon products when degradation feels like a bug.
Test fallback paths with the same rigour as primary paths. If you have never tested what happens when the model API returns a 429 or a 503, you do not have a fallback — you have an assumption. DevOps practices at EB Pearls include chaos engineering for model dependencies: deliberately injecting latency, errors, and low-confidence responses into staging environments to verify that fallback behaviour works as designed.
Log every fallback activation. Every time the system falls back from the AI path to the degraded path, log it — with the trigger (timeout, low confidence, error), the fallback path taken, and the user impact. This data tells you how often your AI is failing in production, what types of failure dominate, and whether your fallback thresholds are calibrated correctly.
The Search Feature That Hung for Thirty Seconds
An AI-powered search feature launched for a mid-market SaaS platform. The feature used an embedding model to convert user queries into vectors and perform semantic search across the product's knowledge base. At launch, the feature worked well — queries returned relevant results in under two seconds, and user satisfaction with search improved noticeably compared to the legacy keyword implementation.
The architecture had one critical gap: no fallback path. The search pipeline called the embedding API, waited for a response, computed similarity, and returned results. If the embedding API was slow, the search was slow. If the embedding API was down, search returned nothing.
Six weeks after launch, the embedding API provider experienced a latency spike during a capacity event. Response times for embedding generation increased from 200 milliseconds to 15 seconds. The search feature did not timeout — the default HTTP client timeout was 30 seconds, and no one had configured a tighter bound. Every search query sat in the pipeline for 15 to 30 seconds before either returning results or timing out entirely.
The product team's monitoring showed elevated search latency but no errors — because technically, every request was still being processed. It took 40 minutes to identify the embedding API as the bottleneck and another hour to deploy a hotfix that added a timeout and a fallback to keyword search. During that window, search was functionally unusable.
The remediation was straightforward: a three-second timeout on embedding API calls, a circuit breaker that opened after five consecutive timeouts, and a fallback route to the legacy keyword search index that had been retained but was not connected to the production pipeline. The fallback returned less relevant results, but it returned them in under 500 milliseconds. With the circuit breaker pattern in place, subsequent API latency spikes were invisible to users — the system degraded gracefully instead of hanging.
When to Invest in Fallback Design and When a Simple Retry Suffices
Architect full fallback paths if your AI feature is on the critical path of user interaction. Search, recommendations, content generation, classification that drives routing or workflow — anything where the AI being slow or wrong directly blocks the user from completing their task. If the user cannot accomplish their goal without the model, the model needs a fallback.
A retry with exponential backoff may suffice if the AI feature is asynchronous or additive — background enrichment, batch classification, analytics that feed a dashboard rather than a real-time experience. If the user does not notice a ten-minute delay, the resilience strategy can be simpler.
Invest in confidence-based fallback if your model's outputs vary in quality and the cost of a wrong result exceeds the cost of no result. Medical, financial, legal, and safety-critical applications need confidence gating — the system must be able to say "I am not sure enough to answer this" and route to a human or a conservative default. This is not just good engineering. In regulated industries, it is a compliance requirement.
Understanding the trends shaping AI applications makes it clear that as AI moves deeper into critical product paths, fallback design moves from a nice-to-have to a production requirement.
Where to Start
Pick your most critical AI feature. Ask one question: what happens if the model API takes ten seconds to respond? If the answer involves the user staring at a spinner, you have found your first fallback gap. Add a timeout. Add a fallback path. Test it by injecting latency in staging. Then move to the next model dependency and ask the same question.
When you are ready to build AI systems that stay functional even when the model does not, talk to our team. We architect fallback behaviour from sprint one — because the incident that reveals your missing fallback is always more expensive than the fallback itself.
Frequently Asked Questions
What happens to the user experience when AI falls back to a non-AI path?
The user experience during fallback depends entirely on how deliberately the degraded state was designed. A well-designed fallback is transparent — the feature still works, perhaps with slightly less intelligent results, and the user may not notice the difference. A poorly designed fallback feels broken: empty results, generic responses, or features that simply disappear. The key is designing the fallback UX alongside the primary UX so that degradation feels like a reduced mode, not a failure. Communicating the degradation — a subtle indicator that results are from keyword search rather than semantic search, for example — builds trust rather than eroding it.
How do we set the right confidence threshold for fallback?
Confidence thresholds should be calibrated against real-world outcomes, not set arbitrarily. Start by logging model confidence alongside user feedback or outcome data for several weeks. Identify the confidence level below which outcomes degrade — where users reject recommendations, where classifications are corrected, where generated content requires heavy editing. Set the threshold at or slightly above that inflection point. Review and adjust quarterly as the model evolves and as you accumulate more production data.
Can we use multiple AI models as fallback for each other?
Yes, and this is a common pattern for critical AI features. A primary model handles requests under normal conditions, and a secondary model — often smaller, faster, and less capable — serves as the fallback when the primary is unavailable or slow. The secondary model might be hosted on different infrastructure or from a different provider to avoid correlated failures. The trade-off is cost and complexity: maintaining two models means two sets of evaluations, two deployment pipelines, and two monitoring configurations. For critical features, the redundancy is worth it.
How do we test fallback paths effectively?
Test fallback by deliberately triggering the conditions that activate it. Inject latency into model API calls to verify timeout behaviour. Return low-confidence scores from a mock model to verify confidence gating. Shut down the model endpoint entirely to verify circuit breaker activation and recovery. These tests should run in staging on a regular cadence — not just once during development. Microsoft's Failure Mode and Effects Analysis framework provides a structured approach to identifying and testing failure scenarios, which applies directly to AI system fallback validation.
What is a circuit breaker pattern and how does it apply to AI?
A circuit breaker monitors the health of a dependency and stops sending requests when the dependency is failing — preventing cascading failures and giving the dependency time to recover. In AI systems, the circuit breaker monitors model API health (error rates, latency) and model output quality (confidence scores, validation failures). When the circuit opens, requests route to the fallback path. A half-open state periodically tests the model to detect recovery. The circuit closes when the model is healthy again. This prevents a degraded model from consuming resources and serving poor results while appearing to function normally.
Should fallback behaviour be the same in all environments?
No. Staging and production should have the same fallback paths but may use different thresholds and monitoring sensitivities. In staging, you want aggressive fallback — lower confidence thresholds, shorter timeouts — so that fallback paths are exercised frequently and stay tested. In production, thresholds should be calibrated to minimise unnecessary fallback while still protecting users from degraded results. Feature flags that control fallback sensitivity per environment make this manageable without maintaining separate codebases.
How do we monitor whether fallback is activating too often?
Track fallback activation rate as a first-class operational metric. If fallback activates on more than a small percentage of requests sustained over time, it indicates either a model reliability problem or an overly aggressive threshold. Dashboard the fallback activation rate alongside model latency, error rate, and average confidence score. Set alerts for sustained elevation — a spike during a model API incident is expected, but persistent fallback activation suggests the model or the threshold needs attention. Review fallback logs weekly to distinguish between healthy resilience and a system that has quietly stopped using AI for a significant portion of requests.
Discover app development insights and AI trends with Akash Shakya, COO of EB Pearls. Learn how we build successful digital products.
Read more Articles by this Author